Software security hole 'prematurely' exposed

The botched disclosure of a security flaw in the popular Apache Web server
software has led to calls for the establishment of a software vulnerability
coordination centre.

The Apache Web server is the most widely used Web server available, accounting for
more than 56 per cent of all Web servers on the Internet. There are more than 21
million Apache Web servers globally, according to the latest Netcraft survey.

Apache is an open-source program maintained and published by the Apache Software
Foundation, an online community of software developers.

An Internet Security Systems (ISS) research team released details of the security
hole on Monday last week before consulting the Apache Software Foundation. ISS
was criticised for prematurely releasing details of the vulnerability to the
public.

ISS is a multinational company that develops security products such as intrusion
detection systems and vulnerability scanners.

An Apache Foundation announcement said it knew of the vulnerability and had
been working on the problem before the premature disclosure.

The foundation said the fix for the security hole released by ISS did not eradicate
the problem.

This latest incident has sparked calls for the establishment of an independent
vulnerability disclosure centre. The fiasco has also reignited debate over vulnerability
disclosure policy, a highly contentious issue in the network security industry.

The risk to users was heightened by the fact that a similar vulnerability had
recently been discovered in Microsoft's IIS Web server software, so the hacking
community was already familiar with the techniques used to exploit this kind of
security flaw.

Within 24 hours of the disclosure, underground hacking groups had already begun
distributing an exploit for the security hole.

ISS said it did not consult with the Apache Software Foundation before releasing
details of the vulnerability because Apache was an open-source collective and
ISS felt that consultation was not required.

The Computer Emergency Response Team (CERT), a centre for reporting Internet
security problems, also released an advisory concerning the Apache problem.
The advisory notably excluded the ISS team from its thank-you section and
tersely stated that its publication had been unexpectedly accelerated.